8a5658fe5aae0d3c0d9c882a2c212ec855f6059a438ca9382430f06ab7ea08fd

Analysis

max time kernel
422s
max time network
1141s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qyd priv pred/qpred-setup.exe
Size

83.3MB
MD5

53e4003e2f973d76d725327f9a00374c
SHA1

396988c2a64b24f82c16b075430acfef8fb2e45b
SHA256

b17cb39f3d9da2e11a0f098e075fbd104327cbcf2143ccee63fb1510810a9d09
SHA512

0e45f43153c4ea80a50fffd1a29ff953d589f30f0f0866a05a3e7f594bc95e8f8b579d24f48c397d3e871df280abb1eacccd65b39447cbf9d0d33d14e42f7bda
SSDEEP

1572864:IKB7vFQqMrlpA+Ql4OdHxTivfSioqiASrrIo:IKBJykl9Hxen1obr0

Score

8^/10

credential_access discovery execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4428	powershell.exe
4484	powershell.exe
2100	powershell.exe
336	powershell.exe

Loads dropped DLL 52 IoCs

pid	Process
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral6/files/0x00070000000238f6-835.dat	upx
behavioral6/memory/548-838-0x00007FFD75DF0000-0x00007FFD764B5000-memory.dmp	upx
behavioral6/files/0x00070000000234f3-841.dat	upx
behavioral6/memory/548-847-0x00007FFD861C0000-0x00007FFD861E5000-memory.dmp	upx
behavioral6/files/0x000700000002352f-846.dat	upx
behavioral6/memory/548-849-0x00007FFD865B0000-0x00007FFD865BF000-memory.dmp	upx
behavioral6/files/0x00070000000234f1-850.dat	upx
behavioral6/memory/548-852-0x00007FFD861A0000-0x00007FFD861BA000-memory.dmp	upx
behavioral6/files/0x00070000000234f7-853.dat	upx
behavioral6/memory/548-855-0x00007FFD86060000-0x00007FFD8608D000-memory.dmp	upx
behavioral6/files/0x0007000000023530-857.dat	upx
behavioral6/files/0x000700000002352e-856.dat	upx
behavioral6/files/0x00070000000234ff-876.dat	upx
behavioral6/files/0x00070000000234fd-874.dat	upx
behavioral6/files/0x00070000000234fc-873.dat	upx
behavioral6/files/0x00070000000234fb-872.dat	upx
behavioral6/files/0x00070000000234fa-871.dat	upx
behavioral6/files/0x00070000000234f9-870.dat	upx
behavioral6/files/0x00070000000234f8-869.dat	upx
behavioral6/files/0x00070000000234f6-868.dat	upx
behavioral6/files/0x00070000000234f5-867.dat	upx
behavioral6/files/0x00070000000234f4-866.dat	upx
behavioral6/files/0x00070000000234f2-865.dat	upx
behavioral6/files/0x00070000000234f0-864.dat	upx
behavioral6/files/0x0007000000023981-862.dat	upx
behavioral6/files/0x0007000000023978-861.dat	upx
behavioral6/files/0x00070000000238f9-860.dat	upx
behavioral6/files/0x00070000000238f4-859.dat	upx
behavioral6/memory/548-878-0x00007FFD86040000-0x00007FFD86059000-memory.dmp	upx
behavioral6/memory/548-880-0x00007FFD86440000-0x00007FFD8644D000-memory.dmp	upx
behavioral6/memory/548-882-0x00007FFD86290000-0x00007FFD8629F000-memory.dmp	upx
behavioral6/memory/548-885-0x00007FFD86000000-0x00007FFD86036000-memory.dmp	upx
behavioral6/memory/548-887-0x00007FFD85FF0000-0x00007FFD85FFD000-memory.dmp	upx
behavioral6/memory/548-891-0x00007FFD85FD0000-0x00007FFD85FE4000-memory.dmp	upx
behavioral6/memory/548-890-0x00007FFD75DF0000-0x00007FFD764B5000-memory.dmp	upx
behavioral6/memory/548-892-0x00007FFD758C0000-0x00007FFD75DE9000-memory.dmp	upx
behavioral6/memory/548-893-0x00007FFD861C0000-0x00007FFD861E5000-memory.dmp	upx
behavioral6/memory/548-899-0x00007FFD76BA0000-0x00007FFD76C6D000-memory.dmp	upx
behavioral6/memory/548-898-0x00007FFD861A0000-0x00007FFD861BA000-memory.dmp	upx
behavioral6/memory/548-897-0x00007FFD85AE0000-0x00007FFD85B13000-memory.dmp	upx
behavioral6/memory/548-895-0x00007FFD865B0000-0x00007FFD865BF000-memory.dmp	upx
behavioral6/memory/548-903-0x00007FFD85970000-0x00007FFD85A8A000-memory.dmp	upx
behavioral6/memory/548-902-0x00007FFD86060000-0x00007FFD8608D000-memory.dmp	upx
behavioral6/files/0x0007000000023553-906.dat	upx
behavioral6/memory/548-908-0x00007FFD8AC70000-0x00007FFD8AC88000-memory.dmp	upx
behavioral6/memory/548-910-0x00007FFD85940000-0x00007FFD85964000-memory.dmp	upx
behavioral6/memory/548-913-0x00007FFD77020000-0x00007FFD7719F000-memory.dmp	upx
behavioral6/memory/548-912-0x00007FFD86290000-0x00007FFD8629F000-memory.dmp	upx
behavioral6/files/0x000700000002353a-914.dat	upx
behavioral6/memory/548-917-0x00007FFD86000000-0x00007FFD86036000-memory.dmp	upx
behavioral6/files/0x000700000002353c-916.dat	upx
behavioral6/memory/548-920-0x00007FFD85920000-0x00007FFD8593C000-memory.dmp	upx
behavioral6/memory/548-919-0x00007FFD8AC60000-0x00007FFD8AC6B000-memory.dmp	upx
behavioral6/files/0x00070000000234c8-921.dat	upx
behavioral6/files/0x00070000000234c5-927.dat	upx
behavioral6/memory/548-926-0x00007FFD85910000-0x00007FFD8591B000-memory.dmp	upx
behavioral6/files/0x00070000000234c4-925.dat	upx
behavioral6/memory/548-923-0x00007FFD85FD0000-0x00007FFD85FE4000-memory.dmp	upx
behavioral6/memory/548-928-0x00007FFD758C0000-0x00007FFD75DE9000-memory.dmp	upx
behavioral6/memory/548-929-0x00007FFD85AE0000-0x00007FFD85B13000-memory.dmp	upx
behavioral6/memory/548-934-0x00007FFD858C0000-0x00007FFD858CB000-memory.dmp	upx
behavioral6/memory/548-933-0x00007FFD858F0000-0x00007FFD858FC000-memory.dmp	upx
behavioral6/memory/548-932-0x00007FFD858D0000-0x00007FFD858DC000-memory.dmp	upx
behavioral6/memory/548-931-0x00007FFD858E0000-0x00007FFD858EB000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	raw.githubusercontent.com
18	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	ip-api.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4792	cmd.exe
772	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3260	WMIC.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-656926755-4116854191-210765258-1000\{35D2A997-F4AC-4C42-82E3-E01F7CE48843}	qpred-setup.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
772	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
548	qpred-setup.exe
2100	powershell.exe
2100	powershell.exe
4428	powershell.exe
4428	powershell.exe
4484	powershell.exe
548	qpred-setup.exe
548	qpred-setup.exe
4484	powershell.exe
336	powershell.exe
336	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	548	qpred-setup.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	336	powershell.exe
Token: SeIncreaseQuotaPrivilege	2952	WMIC.exe
Token: SeSecurityPrivilege	2952	WMIC.exe
Token: SeTakeOwnershipPrivilege	2952	WMIC.exe
Token: SeLoadDriverPrivilege	2952	WMIC.exe
Token: SeSystemProfilePrivilege	2952	WMIC.exe
Token: SeSystemtimePrivilege	2952	WMIC.exe
Token: SeProfSingleProcessPrivilege	2952	WMIC.exe
Token: SeIncBasePriorityPrivilege	2952	WMIC.exe
Token: SeCreatePagefilePrivilege	2952	WMIC.exe
Token: SeBackupPrivilege	2952	WMIC.exe
Token: SeRestorePrivilege	2952	WMIC.exe
Token: SeShutdownPrivilege	2952	WMIC.exe
Token: SeDebugPrivilege	2952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2952	WMIC.exe
Token: SeRemoteShutdownPrivilege	2952	WMIC.exe
Token: SeUndockPrivilege	2952	WMIC.exe
Token: SeManageVolumePrivilege	2952	WMIC.exe
Token: 33	2952	WMIC.exe
Token: 34	2952	WMIC.exe
Token: 35	2952	WMIC.exe
Token: 36	2952	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2952	WMIC.exe
Token: SeSecurityPrivilege	2952	WMIC.exe
Token: SeTakeOwnershipPrivilege	2952	WMIC.exe
Token: SeLoadDriverPrivilege	2952	WMIC.exe
Token: SeSystemProfilePrivilege	2952	WMIC.exe
Token: SeSystemtimePrivilege	2952	WMIC.exe
Token: SeProfSingleProcessPrivilege	2952	WMIC.exe
Token: SeIncBasePriorityPrivilege	2952	WMIC.exe
Token: SeCreatePagefilePrivilege	2952	WMIC.exe
Token: SeBackupPrivilege	2952	WMIC.exe
Token: SeRestorePrivilege	2952	WMIC.exe
Token: SeShutdownPrivilege	2952	WMIC.exe
Token: SeDebugPrivilege	2952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2952	WMIC.exe
Token: SeRemoteShutdownPrivilege	2952	WMIC.exe
Token: SeUndockPrivilege	2952	WMIC.exe
Token: SeManageVolumePrivilege	2952	WMIC.exe
Token: 33	2952	WMIC.exe
Token: 34	2952	WMIC.exe
Token: 35	2952	WMIC.exe
Token: 36	2952	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4604	wmic.exe
Token: SeSecurityPrivilege	4604	wmic.exe
Token: SeTakeOwnershipPrivilege	4604	wmic.exe
Token: SeLoadDriverPrivilege	4604	wmic.exe
Token: SeSystemProfilePrivilege	4604	wmic.exe
Token: SeSystemtimePrivilege	4604	wmic.exe
Token: SeProfSingleProcessPrivilege	4604	wmic.exe
Token: SeIncBasePriorityPrivilege	4604	wmic.exe
Token: SeCreatePagefilePrivilege	4604	wmic.exe
Token: SeBackupPrivilege	4604	wmic.exe
Token: SeRestorePrivilege	4604	wmic.exe
Token: SeShutdownPrivilege	4604	wmic.exe
Token: SeDebugPrivilege	4604	wmic.exe
Token: SeSystemEnvironmentPrivilege	4604	wmic.exe
Token: SeRemoteShutdownPrivilege	4604	wmic.exe
Token: SeUndockPrivilege	4604	wmic.exe
Token: SeManageVolumePrivilege	4604	wmic.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 548	544	qpred-setup.exe	86
PID 544 wrote to memory of 548	544	qpred-setup.exe	86
PID 548 wrote to memory of 5112	548	qpred-setup.exe	88
PID 548 wrote to memory of 5112	548	qpred-setup.exe	88
PID 5112 wrote to memory of 2100	5112	cmd.exe	90
PID 5112 wrote to memory of 2100	5112	cmd.exe	90
PID 548 wrote to memory of 4172	548	qpred-setup.exe	91
PID 548 wrote to memory of 4172	548	qpred-setup.exe	91
PID 4172 wrote to memory of 4428	4172	cmd.exe	93
PID 4172 wrote to memory of 4428	4172	cmd.exe	93
PID 4172 wrote to memory of 4484	4172	cmd.exe	94
PID 4172 wrote to memory of 4484	4172	cmd.exe	94
PID 4172 wrote to memory of 336	4172	cmd.exe	95
PID 4172 wrote to memory of 336	4172	cmd.exe	95
PID 548 wrote to memory of 1280	548	qpred-setup.exe	103
PID 548 wrote to memory of 1280	548	qpred-setup.exe	103
PID 1280 wrote to memory of 2952	1280	cmd.exe	105
PID 1280 wrote to memory of 2952	1280	cmd.exe	105
PID 548 wrote to memory of 4604	548	qpred-setup.exe	106
PID 548 wrote to memory of 4604	548	qpred-setup.exe	106
PID 548 wrote to memory of 4408	548	qpred-setup.exe	108
PID 548 wrote to memory of 4408	548	qpred-setup.exe	108
PID 4408 wrote to memory of 3260	4408	cmd.exe	110
PID 4408 wrote to memory of 3260	4408	cmd.exe	110
PID 548 wrote to memory of 1496	548	qpred-setup.exe	111
PID 548 wrote to memory of 1496	548	qpred-setup.exe	111
PID 1496 wrote to memory of 1220	1496	cmd.exe	113
PID 1496 wrote to memory of 1220	1496	cmd.exe	113
PID 548 wrote to memory of 4020	548	qpred-setup.exe	114
PID 548 wrote to memory of 4020	548	qpred-setup.exe	114
PID 4020 wrote to memory of 3624	4020	cmd.exe	116
PID 4020 wrote to memory of 3624	4020	cmd.exe	116
PID 548 wrote to memory of 2212	548	qpred-setup.exe	117
PID 548 wrote to memory of 2212	548	qpred-setup.exe	117
PID 2212 wrote to memory of 2396	2212	cmd.exe	119
PID 2212 wrote to memory of 2396	2212	cmd.exe	119
PID 548 wrote to memory of 2696	548	qpred-setup.exe	121
PID 548 wrote to memory of 2696	548	qpred-setup.exe	121
PID 2696 wrote to memory of 4028	2696	cmd.exe	123
PID 2696 wrote to memory of 4028	2696	cmd.exe	123
PID 548 wrote to memory of 4792	548	qpred-setup.exe	124
PID 548 wrote to memory of 4792	548	qpred-setup.exe	124
PID 4792 wrote to memory of 772	4792	cmd.exe	126
PID 4792 wrote to memory of 772	4792	cmd.exe	126

C:\Users\Admin\AppData\Local\Temp\qyd priv pred\qpred-setup.exe
"C:\Users\Admin\AppData\Local\Temp\qyd priv pred\qpred-setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:544
- C:\Users\Admin\AppData\Local\Temp\qyd priv pred\qpred-setup.exe
  "C:\Users\Admin\AppData\Local\Temp\qyd priv pred\qpred-setup.exe"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4172
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4484
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1280
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2952
- - C:\Windows\System32\Wbem\wmic.exe
    wmic cpu get Name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4408
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4020
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
      4⤵
      PID:3624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path softwarelicensingservice get OA3xOriginalProductKey"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path softwarelicensingservice get OA3xOriginalProductKey
      4⤵
      PID:2396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\qyd priv pred\qpred-setup.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GxFWAkwhdS\Common Files\BackupDisconnect.xps

Filesize
973KB

MD5
6baadd0d6e26cb54e82f0cf643e64302

SHA1
3eeb38a344152906d56410390b583d7a6c061288

SHA256
37caee9892d96e8ad11f1b1055b0af65b65e7b4d1361591741b5ab371ab1a6db

SHA512
64bc37917d76aecbdbf91e838e8bfd7691d92fd660c8e84b807bb5c70c31f02a7f579da6798483cfb2c38234f30e1091df74ced2cb929aa0f613a94d11df2906

Download Submit
C:\Users\Admin\AppData\Local\Temp\GxFWAkwhdS\Common Files\CheckpointEnter.rtf

Filesize
330KB

MD5
ad0a983f6478af5396fcbe0a98039ffa

SHA1
1296a5d84d835dbbf3dbe2be02b77305b01b2f5f

SHA256
3928de7e8a41a69509c03702bc9737d93c9f23694cc7880518ccdfed3d814820

SHA512
e6d5c89527f14ed40b73c3a2d7229c7f61fb7fdf8e7187cc9eb8dd8cf29cb3e566ccb591837fc81ea59b0011b636e6ec9b9f2a3c3a4ee57491bf94d4f9c3f837

Download Submit
C:\Users\Admin\AppData\Local\Temp\GxFWAkwhdS\Common Files\ClearConvertFrom.docx

Filesize
19KB

MD5
2838c846734f794b7901fcddf30b8c2d

SHA1
34da0f56be5da4cc5cac36d68b2483b302d50c98

SHA256
b3eb508a213acbf8220fb3493d60aa354d33a9c5f8d0059766ed85f9bfebb0c0

SHA512
b79170e6f1dd1d06d0b2d95acb51067cca1feceb7a5fecb29a3252aca0437908b2a04336be8ca034fd1e5c2eacf9fe55da26df90f0917d76ab55f1bbfa7bb3a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GxFWAkwhdS\Common Files\CompressConfirm.docx

Filesize
619KB

MD5
8650063ea430fe657dafb50e55b54b97

SHA1
ce946a29c1cb7fc069a1c027f7490b8b2037414b

SHA256
1527f1ea7b4068c921cbdf3a7d77439983826c8b7b56c87df12d54b171f2e60c

SHA512
7c0dae2b7e2b10278d271c30ea595f0eb04a21cdc1142e652ab72f05336801252ab67054114c78e52dd79c1cd333bd8584bf03c8f1529a70f8d10dbe2563bbfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\GxFWAkwhdS\Common Files\ConnectExit.csv

Filesize
181KB

MD5
ec45b8b4d2b2f340281a09513945433e

SHA1
c91b0a7a1a881a2ac6b6f7bfa6158b36b166ff88

SHA256
19d060a7b68c5d7e751bc555d11bc198d9199dea6b0f1793fd989f1bbf67e4cb

SHA512
cab4f7d5b09ea8cbb67b3ded1a98cfa340c0ee479c2210b433b941aa137f391dd91c8ee710b438bf7c86fa4bf3324b6fdb270e3073b75c6c94a22651432becab

Download Submit
C:\Users\Admin\AppData\Local\Temp\GxFWAkwhdS\Common Files\DenyAssert.docx

Filesize
18KB

MD5
76c37f33bcfcb49d2044e00ed79e6ef7

SHA1
5d468f64ff4290d2deac2c5da543c63c10533517

SHA256
af0435997380f6322f11663b3c7b9af3b19e1b1a8c3e12610fea169a45f09513

SHA512
ea30aa019dd4fffde47d57f91bab97ba07c809fb4d6ce7b6bb00857969c4f1b1a1afecf83f547cc754b558b988e32d0b8bf23a866bde83c8b83463ab5e4f87f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GxFWAkwhdS\Common Files\DisconnectTrace.pdf

Filesize
442KB

MD5
f7d8a3b0e8c4c7148a6649dd432743a3

SHA1
9aa24fea52beaca7649c6f616b1887fc656434e5

SHA256
28f062f4a10580e6926cdeba5d6b84a3b959eac10926c5931cb49526b269a694

SHA512
edf89420f38aea46449399c82c0628ec127803299d7e8f1e05cefc6a578967dde9f59242798909581ef0d0c1d1a68786edf2343c54eb72a0b9c66070d252dcbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\GxFWAkwhdS\Common Files\ExportRead.docx

Filesize
14KB

MD5
527d3da6d425b4a6076b7bba5c38015a

SHA1
bcba35e81dfed5982f58c26b118e56077c4a496c

SHA256
b5472c53aa7208b0f80028aba24e206ba5b6fe9a378eec3ab54af3df0112288c

SHA512
62df89727a5f05e23b88880e7873a5356a206f821621732c37f2b6fa1fb74344750b8222989f02171f6306046a935cfd784ab07aa03f1558dc185453aaa6d496

Download Submit
C:\Users\Admin\AppData\Local\Temp\GxFWAkwhdS\Common Files\GetAdd.txt

Filesize
644KB

MD5
5d1198db55d6933af56d4b9ed80d5f6d

SHA1
7124b0974bb4f3d57e212f5eb3b62b3142a5e722

SHA256
ec368770d0b659962a01ea42e1fd5c7d71f9fd78d0c0fef5c0d446a328b2b98d

SHA512
c93dae8d081d73263dacaeeef509495ec39f699a82e3b9165e8d156d595c0b7b91aeacbde13760f4fbc0e66ba1ff16695faae3b7a6f8d3b86725e6593e60e69d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GxFWAkwhdS\Common Files\RemoveNew.docx

Filesize
18KB

MD5
fed4c26259a893764af311fd8b175d59

SHA1
a4b315e1207c3cbc967e661cc92c50592c2c3243

SHA256
5384f56a6ffa9d3ccbb4bef93a90d9d88753cda08348a3cf2125f6cb4de7b028

SHA512
cfdb3d2bd923555c0b436a8759b2ca0507365402ab63f82e05c6e7e66201a8cc79095eca93b65b0e6f0d978d181e4a51baa2ea26777ffa44a23e1718956c81d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GxFWAkwhdS\Common Files\RemoveOpen.docx

Filesize
245KB

MD5
e1109a46dd58685a9eb905806c617926

SHA1
5ff1fe5382974997ea72c8bfb1f5f20b21962ade

SHA256
6289568fe75b551141a9041039fa1848876df142434b15a961407e9a91ff6e77

SHA512
473136abe10abb9f2df54c1e336d98608a39eaac3b28d8bd1dc8789417eb9745952f76216456d2fcad4521bf370d85b8c08f82dd263c20101028e68bfaa57a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\Cryptodome\Cipher\_raw_cbc.pyd

Filesize
10KB

MD5
d9f0780e8df9e0adb12d1c4c39d6c9be

SHA1
2335d8d81c1a65d4f537553d66b70d37bc9a55b6

SHA256
e91c6bba58cf9dd76cb573f787c76f1da4481f4cbcdf5da3899cce4d3754bbe7

SHA512
7785aadb25cffdb736ce5f9ae4ca2d97b634bc969a0b0cb14815afaff4398a529a5f86327102b8005ace30c0d196b2c221384a54d7db040c08f0a01de3621d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\Cryptodome\Cipher\_raw_cfb.pyd

Filesize
10KB

MD5
24e69b6ec11c3099a0ce0f553653ffe8

SHA1
0e351eded34beecddba1f1f55fdbcf2e82388072

SHA256
9399b42e3ee1694b84a07229d4b550ae03162a2fce290ccc8910e0594eb79760

SHA512
a9373f88511bdb44079a5bb0620ff6380622be0695939c1cd3f2c3cdc9918ea6ec18f5c9d44579b4e15ea7a4d61be5c136c73a54bdd0a8c122859b3dc168698c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\Cryptodome\Cipher\_raw_ecb.pyd

Filesize
9KB

MD5
768559588eef33d33d9fa64ab5ed482b

SHA1
09be733f1deed8593c20afaf04042f8370e4e82f

SHA256
57d3efc53d8c4be726597a1f3068947b895b5b8aba47fd382c600d8e72125356

SHA512
3bf9cd35906e6e408089faea9ffcdf49cc164f58522764fe9e481d41b0e9c6ff14e13b0954d2c64bb942970bbf9d94d07fce0c0d5fdbd6ca045649675ecff0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\_asyncio.pyd

Filesize
37KB

MD5
d9f56d51d32bcbade2d954a9427337dc

SHA1
d0e5cee77d5038193580335e3271bb5f1fb6bfc4

SHA256
1b6c23b6f235ad58e4062b1dc4ce2c36f031f1469bf9e60c11e07603ca4656e3

SHA512
fc18968a319c11b2d9f20a376b93cc74503139506b1c9f9ee3dd226edc1ba753cad85c20368e162c14d26cf2f75f70ae7e82b2b9881088235f5eaca66e8dad66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\_bz2.pyd

Filesize
48KB

MD5
9da23eb807a43a954d40048b53a98e6f

SHA1
e639bd9a27409fc72f36b4ec3383eeecdacb9dc5

SHA256
02d0d3c0163f69a7e6713742ab98e73321c5298976089fe9a03b6d91d3293ebb

SHA512
c8d164c8d4722dcd04f13aa11307fddd655e73fd03b15c8056b34252bce925ca679b48032313b8587369500d03574213da20e513c3b4c155099a84de9ac0bba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\_cffi_backend.cp312-win_amd64.pyd

Filesize
71KB

MD5
e8204fbeced1bbe02489cfee909d573e

SHA1
7625ee886d50ffa837db6e2ade9c74e86f0d4fa2

SHA256
d0aa34b160311a35ca2b888dbb9423e8990962b7c89655a5e9c1ba97324ace6b

SHA512
3638126cc76adb7c4aa23c2d62219dfe8a04cffb3dafac50adbd1f53fc603084f48b9240f10fcd92681bc7fb1f0a54159149e4c90f7ee8043a64c3a5c50bd05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\_ctypes.pyd

Filesize
59KB

MD5
78f5225e986641eaebfe2bef27865603

SHA1
118ac80fdf764f5bfbaad2d803420087b854817d

SHA256
ae55ad9ad1f4cbc398cd0c87556f1f263505cde025c7c7f2c43ce4ae818eb183

SHA512
70e18ea660120d60d6bfa17883c2aced276aa858c5da4dca1e1d56203891d996da4f349596c911cb16497db81b42af4ad85e473c3e80f8932557d967c9dad0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\_decimal.pyd

Filesize
107KB

MD5
c67548fec576c79aa4c7d829ebbcb8fd

SHA1
3c1dd3daf407257ded9717dadcf017fdd8a2c07c

SHA256
31c2c5200f59969c7078a5a913067dfcdf326cb0d43754e38893239774286fab

SHA512
696d76f6baf739aa2a0d1d057df6d3f8cba1008c0528c8060bb3808a775393bf5e61578154e0d1bd0f3162195b108fbe51daf005d29d368447b5c8fe844a338b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\_elementtree.pyd

Filesize
59KB

MD5
22fc5be528d33809cbb192b065cbbb05

SHA1
a15379c180f7fd2970eb37dda69f1961df4bbfc8

SHA256
8987b547d08c762fa665e28636f14d205dbcd3e599fad0beaf7607ef4c3477a8

SHA512
b0a9c62f962e0c2a7d7f37f63f4b39eb64fe884266d88990343cfbbb145d3cfa76332ca6f996a31f912fecc448173acfb08792a22940779403cc99216d699f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\_hashlib.pyd

Filesize
35KB

MD5
121f21e4c072b1307ec96e26dbb54f48

SHA1
fd7ffeb22377db68bd6abce8ea526afa14faad0f

SHA256
8dac9aa352bfcb960501682d412a9eeebea5d1cdde3771ba9b70a0ae2e08e883

SHA512
bec606d0b9c4cabc263a4eda3b8cd403e2486a4e3369fe99117386c4d1969248c54d762b465ab5bdf87fdcc7a08bf90aa873064c65063db8cd4dc437e7e1e6c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\_lzma.pyd

Filesize
86KB

MD5
24a598b2caa17caee2e24d2bb97b445d

SHA1
262f07406e170284fea0c1e41093bfe1c4a25eab

SHA256
af4ae25b17c7cf23d06e1f37fdefe903a840073266d4314e410a4acec2af6270

SHA512
7bdf0a599c488436c118523a67ab154a37ffc5aab0ecec95c463bd068d1121b197c0ebb91dc7db3cf2a3db913abaffd0a60aedb373c0e670c63cd8d85f716f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\_multiprocessing.pyd

Filesize
27KB

MD5
3cba83d3acab104d0237ca3fd0fda954

SHA1
6fd08494729a6f3bef6b908365268bdac1e170f1

SHA256
a50471d9a065b2e4f0fa61fb88c2dcaa04b7f104fae9ea4bc981d0f6fe39e5fc

SHA512
09105f6e6ad13d8d89ef81f9d8c6273c0c540d29227d653d3e3a86d210030b1737f3779839088bc3ea1e08aaf2de70cf55d5288f34b7441bfbd8999a33b6e2d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\_overlapped.pyd

Filesize
33KB

MD5
ab8d1617e9c0c43c1683a567498c1441

SHA1
69ee6500c1bb30b437693283075165dec0861433

SHA256
7779b8fc61da810db720956b3d49c0d1c8cd4e05cc662f767fc8f0088cf923d4

SHA512
f1f79c4499b135c56eef659b82fc46e3869519c1adf0704c0e5fab34f593c741549c236c0c62610f4c9ee2ea10e9acbccb39474a518b66f41c84b3466c133b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\_queue.pyd

Filesize
26KB

MD5
52e8135f08c61f94b536d1a1c787bf23

SHA1
6ea0d2bd42d3293273b27ea5fb64abef3361ba3f

SHA256
fdcd6416bcbaddc8d0e3b029d2c5f621956066cb95c5fa06c948e7eec25152b8

SHA512
06e75181a0831d1493ecc28a02f2f52fd30c1b53a4053e94a974b577ace6cdc912f1cb7223059cdacecf5fabfff1f2fff2955b1ba8f54ce5b15b7a6eec77c452

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\_socket.pyd

Filesize
44KB

MD5
886d68f020a8a2232fbcb8ab431ff9f8

SHA1
65db84d574e9e38281475cb6d86acb94c74ce5b9

SHA256
199c490b67f4364a78c6ba7df595e13e483e110345d067bf57b3826d3bf06715

SHA512
bb33bb67ee0204817282373f72a2666aa32e8e47a717e443247bd493853f804949bb59ae3b4a213fcad306d1ced123cd1377e05df3e353400120928597ed34da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\_sqlite3.pyd

Filesize
57KB

MD5
4381c00145ed565ed992f415aa4e33da

SHA1
378be370c2290e9d6a9dee406f989c211cf0efe2

SHA256
d81d61074ed8a476af01a46eefb32a908eb8ab34f7cf7d4f53dcfd8274a163be

SHA512
57b527e0a2f55c45e1aaee147adb67933b6f6acd5f8eebe6efe97fc5f8c23f20a1303972b45076565d0bff880b751fc039a85673ee88a77a17f969e17ec0a3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\_ssl.pyd

Filesize
66KB

MD5
e5353f0aa2c35efd5b4a1a0805a6978c

SHA1
d92f1066fe79dc1a1afe7ca3c0b9e803aced7e9f

SHA256
908a3938b962132f3f4429badad0e26a8b138de192a060ca1c1067e2b2ce128a

SHA512
11c632e69c982a77053fefb22e764dfdb30f6d10abe6c88e2512aa7daf26a0ef59dcc109d262cdb58875f2fba46312027b6e180dc7f0fa24ddc02b78a55c0c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\_uuid.pyd

Filesize
25KB

MD5
8f5402bb6aac9c4ff9b4ce5ac3f0f147

SHA1
87207e916d0b01047b311d78649763d6e001c773

SHA256
793e44c75e7d746af2bb5176e46c454225f07cb27b1747f1b83d1748d81ad9ac

SHA512
65fdef32aeba850aa818a8c8bf794100725a9831b5242350e6c04d0bca075762e1b650f19c437a17b150e9fca6ad344ec4141a041fa12b5a91652361053c7e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\_wmi.pyd

Filesize
28KB

MD5
9ba21832765a278dfc220426e9c6a2e3

SHA1
b82716b165f3094b70e41a01b4785ca1b1e2c2de

SHA256
aa23361fc26c1b91fcc458156eeca0ee869c6f9eca30182ceb2b83c810cfaab4

SHA512
a9232b7593c29543091c0f7d1043cc1b39ff0b7c324362fe860d3ee0674ca069c93a85d0a8c2bb6133904318f67e448c1fd99e491f0ddda57d8d9f984ed106a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\base_library.zip

Filesize
1.3MB

MD5
763d1a751c5d47212fbf0caea63f46f5

SHA1
845eaa1046a47b5cf376b3dbefcf7497af25f180

SHA256
378a4b40f4fa4a8229c93e0afee819085251af03402ccefa3b469651e50e60b7

SHA512
bb356dd610e6035f4002671440ce96624addf9a89fd952a6419647a528a551a6ccd0eca0ee2eeb080d9aad683b5afc9415c721fa62c3bcddcb7f1923f59d9c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\certifi\cacert.pem

Filesize
268KB

MD5
59a15f9a93dcdaa5bfca246b84fa936a

SHA1
7f295ea74fc7ed0af0e92be08071fb0b76c8509e

SHA256
2c11c3ce08ffc40d390319c72bc10d4f908e9c634494d65ed2cbc550731fd524

SHA512
746157a0fcedc67120c2a194a759fa8d8e1f84837e740f379566f260e41aa96b8d4ea18e967e3d1aa1d65d5de30453446d8a8c37c636c08c6a3741387483a7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\libcrypto-3.dll

Filesize
1.6MB

MD5
63eb76eccfe70cff3a3935c0f7e8ba0f

SHA1
a8dd05dce28b79047e18633aee5f7e68b2f89a36

SHA256
785c8dde9803f8e1b279895c4e598a57dc7b01e0b1a914764fcedef0d7928b4e

SHA512
8da31fa77ead8711c0c6ffedcef6314f29d02a95411c6aacec626e150f329a5b96e9fdeae8d1a5e24d1ca5384ae2f0939a5cc0d58eb8bdbc5f00e62736dcc322

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\libffi-8.dll

Filesize
29KB

MD5
be8ceb4f7cb0782322f0eb52bc217797

SHA1
280a7cc8d297697f7f818e4274a7edd3b53f1e4d

SHA256
7d08df2c496c32281bf9a010b62e8898b9743db8b95a7ebee12d746c2e95d676

SHA512
07318c71c3137114e0cfec7d8b4815fd6efa51ce70b377121f26dc469cefe041d5098e1c92af8ed0c53b21e9c845fddee4d6646d5bd8395a3f1370ba56a59571

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\libssl-3.dll

Filesize
222KB

MD5
7e87c34b39f3a8c332df6e15fd83160b

SHA1
db712b55f23d8e946c2d91cbbeb7c9a78a92b484

SHA256
41448b8365b3a75cf33894844496eb03f84e5422b72b90bdcb9866051939c601

SHA512
eceda8b66736edf7f8e7e6d5a17e280342e989c5195525c697cc02dda80fd82d62c7fd4dc6c4825425bae69a820e1262b8d8cc00dbcd73868a26e16c14ac5559

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\luna.aes

Filesize
61KB

MD5
b80144d5415de7500a4043585c0847bf

SHA1
3697ce3e4c3686b29eddc91165d6603e07937e6e

SHA256
e73afff4b1a202c892ba78c9d39ddbfe89020e1ca07fb5ac4e98437125f995ff

SHA512
eb3fb0f24117cfdd5cd8336267b86cb9b3d65d4257f479b3a80405aa0e47dd85d93bfa7c0afd2c6ebe49263680addb4a5f2eb4240e9d6fc182180588f64d43f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\lz4\_version.cp312-win_amd64.pyd

Filesize
9KB

MD5
2792ecc8fd33e03d84a8554dc8518db4

SHA1
89465011321f5cecdad86e6f835aa1d8d0ad13d2

SHA256
36c5354b5f4dd1bc66ebbc73474bd9d663662769833045735ec6751a3bf69d76

SHA512
1c65466454ae5da134d7cd59d663d82cff87e95fa8060befa9aa82a3793dbf8a987936df29b04ec5b0be42cfa8af16f18b3e7c4c7b7b5c6bf03a042b8070c879

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\lz4\block\_block.cp312-win_amd64.pyd

Filesize
32KB

MD5
3343d0b8c531b780b2a6b3cda19d7b7f

SHA1
bdb760d25d3d9da136901f43d505493159fe4fd7

SHA256
53b59145c034e9374b29cdb2a9901d6591670b42306b4ab97a89e671e0f5e775

SHA512
84f76063d2bd413717ba1c247682a7f2845f87bc19048adad532ff79e7cabf687848356d9a9b82781acca5843c425da4c0e52691bee8065787be7d7a6d0f76fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\psutil\_psutil_windows.pyd

Filesize
31KB

MD5
3adca2ff39adeb3567b73a4ca6d0253c

SHA1
ae35dde2348c8490f484d1afd0648380090e74fc

SHA256
92202b877579b74a87be769d58f9d1e8aced8a97336ad70e97d09685a10afeb3

SHA512
358d109b23cf99eb7396c450660f193e9e16f85f13737ecf29f4369b44f8356041a08443d157b325ccb5125a5f10410659761eda55f24fcc03a082ac8acdd345

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\pyexpat.pyd

Filesize
88KB

MD5
cfcb1a1159cc2aadba3c62ac44dc2363

SHA1
e19df1a6c3dfa545c6b2c20355b24584933d7f9f

SHA256
279aac95d765000d7b3b09b75e66a311a03833a0e28361683cf41161f37e3331

SHA512
f7f42bc3eb6a2db706f784e2b772c3ce5d0f87b4b3ff6bda6d2f934aecce0174d52623aad0a082dd1efc0f70c990a07fa9768ac96d42ddb52ea5be594198b447

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\python3.DLL

Filesize
66KB

MD5
8dbe9bbf7118f4862e02cd2aaf43f1ab

SHA1
935bc8c5cea4502d0facf0c49c5f2b9c138608ed

SHA256
29f173e0147390a99f541ba0c0231fdd7dfbca84d0e2e561ef352bf1ec72f5db

SHA512
938f8387dcc356012ac4a952d371664700b110f7111fcc24f5df7d79791ae95bad0dbaf77d2d6c86c820bfd48a6bdbe8858b7e7ae1a77df88e596556c7135ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\python312.dll

Filesize
1.7MB

MD5
ca67f0baf3cc3b7dbb545cda57ba3d81

SHA1
5b4e36aef877307af8a8f78f3054d068d1a9ce89

SHA256
f804ed205e82003da6021ee6d2270733ca00992816e7e89ba13617c96dd0fba3

SHA512
a9f07dd02714c3efba436326425d443969018ace7ebd7cc33c39d43e3d45480a4fcd4c46c09ad132b4f273888f13e9f598de257130429fcb2519c000e4fab6f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\select.pyd

Filesize
25KB

MD5
6c123b56f3a37c129eff6fc816868b25

SHA1
ac6b6e3bdc53870ba044a38b9ae9a067b70e7641

SHA256
99687f9b1648ac684dfb7937c75e3e50dc16704abd4c4c19601c40ec6971c5ee

SHA512
b840871278a6cc32d5ab0cc6d9c129da0ba2d08b93c3c6c000e3989fe1ab8b09ed82ca547a1057690f52f22e44b203f424e2ccd9655be82a1094547a94ddc3c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\setuptools\_vendor\autocommand-2.2.2.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\setuptools\_vendor\jaraco.text-3.12.1.dist-info\LICENSE

Filesize
1023B

MD5
141643e11c48898150daa83802dbc65f

SHA1
0445ed0f69910eeaee036f09a39a13c6e1f37e12

SHA256
86da0f01aeae46348a3c3d465195dc1ceccde79f79e87769a64b8da04b2a4741

SHA512
ef62311602b466397baf0b23caca66114f8838f9e78e1b067787ceb709d09e0530e85a47bbcd4c5a0905b74fdb30df0cc640910c6cc2e67886e5b18794a3583f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\setuptools\_vendor\jaraco.text-3.12.1.dist-info\WHEEL

Filesize
92B

MD5
43136dde7dd276932f6197bb6d676ef4

SHA1
6b13c105452c519ea0b65ac1a975bd5e19c50122

SHA256
189eedfe4581172c1b6a02b97a8f48a14c0b5baa3239e4ca990fbd8871553714

SHA512
e7712ba7d36deb083ebcc3b641ad3e7d19fb071ee64ae3a35ad6a50ee882b20cd2e60ca1319199df12584fe311a6266ec74f96a3fb67e59f90c7b5909668aee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\setuptools\_vendor\jaraco\text\Lorem ipsum.txt

Filesize
1KB

MD5
4ce7501f6608f6ce4011d627979e1ae4

SHA1
78363672264d9cd3f72d5c1d3665e1657b1a5071

SHA256
37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b

SHA512
a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\sqlite3.dll

Filesize
644KB

MD5
132614956f138f3594d1053e3fac4779

SHA1
95115f866a87db308ff00af0273e04e31a3fdaae

SHA256
2a4ae8ca681fa6f8de3b6dbcc3d32652ea3ab3ee7e2be80b7aff822a382ca8ff

SHA512
5b12b51c78bd72f410e2f53c086322557591d9d66b6d473264fa731763ec2317470009c13cbb9d0985c9006c7f62c4eed14c263295bd7ef11db0bc492c2ca5a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\unicodedata.pyd

Filesize
296KB

MD5
3d5cb46d212da9843d199f6989b37cd5

SHA1
ce5e427d49ea1adba9c941140f3502c969b6819e

SHA256
50a55bc145b1f43e5125ef0b09e508946221d02d5fea1b7550a43d8c8c41c970

SHA512
c52014c96578db4c7f97878a13ca8c2a4574cc6671689bb554382ad0e593eb87fac55961c7c11ef82b04627fb851ac44848bac9ec91fca0afaa965e4f1f24aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ixkf1fer.3uy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/548-880-0x00007FFD86440000-0x00007FFD8644D000-memory.dmp

Filesize
52KB

Download
memory/548-1035-0x00007FFD81220000-0x00007FFD81249000-memory.dmp

Filesize
164KB

Download
memory/548-903-0x00007FFD85970000-0x00007FFD85A8A000-memory.dmp

Filesize
1.1MB

Download
memory/548-908-0x00007FFD8AC70000-0x00007FFD8AC88000-memory.dmp

Filesize
96KB

Download
memory/548-910-0x00007FFD85940000-0x00007FFD85964000-memory.dmp

Filesize
144KB

Download
memory/548-913-0x00007FFD77020000-0x00007FFD7719F000-memory.dmp

Filesize
1.5MB

Download
memory/548-912-0x00007FFD86290000-0x00007FFD8629F000-memory.dmp

Filesize
60KB

Download
memory/548-895-0x00007FFD865B0000-0x00007FFD865BF000-memory.dmp

Filesize
60KB

Download
memory/548-917-0x00007FFD86000000-0x00007FFD86036000-memory.dmp

Filesize
216KB

Download
memory/548-897-0x00007FFD85AE0000-0x00007FFD85B13000-memory.dmp

Filesize
204KB

Download
memory/548-920-0x00007FFD85920000-0x00007FFD8593C000-memory.dmp

Filesize
112KB

Download
memory/548-919-0x00007FFD8AC60000-0x00007FFD8AC6B000-memory.dmp

Filesize
44KB

Download
memory/548-898-0x00007FFD861A0000-0x00007FFD861BA000-memory.dmp

Filesize
104KB

Download
memory/548-899-0x00007FFD76BA0000-0x00007FFD76C6D000-memory.dmp

Filesize
820KB

Download
memory/548-926-0x00007FFD85910000-0x00007FFD8591B000-memory.dmp

Filesize
44KB

Download
memory/548-893-0x00007FFD861C0000-0x00007FFD861E5000-memory.dmp

Filesize
148KB

Download
memory/548-923-0x00007FFD85FD0000-0x00007FFD85FE4000-memory.dmp

Filesize
80KB

Download
memory/548-928-0x00007FFD758C0000-0x00007FFD75DE9000-memory.dmp

Filesize
5.2MB

Download
memory/548-929-0x00007FFD85AE0000-0x00007FFD85B13000-memory.dmp

Filesize
204KB

Download
memory/548-934-0x00007FFD858C0000-0x00007FFD858CB000-memory.dmp

Filesize
44KB

Download
memory/548-933-0x00007FFD858F0000-0x00007FFD858FC000-memory.dmp

Filesize
48KB

Download
memory/548-932-0x00007FFD858D0000-0x00007FFD858DC000-memory.dmp

Filesize
48KB

Download
memory/548-931-0x00007FFD858E0000-0x00007FFD858EB000-memory.dmp

Filesize
44KB

Download
memory/548-930-0x00007FFD85900000-0x00007FFD8590B000-memory.dmp

Filesize
44KB

Download
memory/548-935-0x00007FFD76BA0000-0x00007FFD76C6D000-memory.dmp

Filesize
820KB

Download
memory/548-937-0x00007FFD85970000-0x00007FFD85A8A000-memory.dmp

Filesize
1.1MB

Download
memory/548-939-0x00007FFD85890000-0x00007FFD8589E000-memory.dmp

Filesize
56KB

Download
memory/548-944-0x00007FFD85870000-0x00007FFD8587B000-memory.dmp

Filesize
44KB

Download
memory/548-943-0x00007FFD85940000-0x00007FFD85964000-memory.dmp

Filesize
144KB

Download
memory/548-942-0x00007FFD85880000-0x00007FFD8588C000-memory.dmp

Filesize
48KB

Download
memory/548-941-0x00007FFD77020000-0x00007FFD7719F000-memory.dmp

Filesize
1.5MB

Download
memory/548-940-0x00007FFD8AC70000-0x00007FFD8AC88000-memory.dmp

Filesize
96KB

Download
memory/548-938-0x00007FFD858A0000-0x00007FFD858AC000-memory.dmp

Filesize
48KB

Download
memory/548-936-0x00007FFD858B0000-0x00007FFD858BC000-memory.dmp

Filesize
48KB

Download
memory/548-945-0x00007FFD85860000-0x00007FFD8586B000-memory.dmp

Filesize
44KB

Download
memory/548-946-0x00007FFD85850000-0x00007FFD8585C000-memory.dmp

Filesize
48KB

Download
memory/548-947-0x00007FFD85840000-0x00007FFD8584C000-memory.dmp

Filesize
48KB

Download
memory/548-948-0x00007FFD857C0000-0x00007FFD857CD000-memory.dmp

Filesize
52KB

Download
memory/548-949-0x00007FFD857A0000-0x00007FFD857B2000-memory.dmp

Filesize
72KB

Download
memory/548-950-0x00007FFD85790000-0x00007FFD8579C000-memory.dmp

Filesize
48KB

Download
memory/548-951-0x00007FFD81220000-0x00007FFD81249000-memory.dmp

Filesize
164KB

Download
memory/548-952-0x00007FFD80700000-0x00007FFD8072E000-memory.dmp

Filesize
184KB

Download
memory/548-953-0x00007FFD75290000-0x00007FFD756B5000-memory.dmp

Filesize
4.1MB

Download
memory/548-954-0x00007FFD73EE0000-0x00007FFD75287000-memory.dmp

Filesize
19.7MB

Download
memory/548-955-0x00007FFD7D090000-0x00007FFD7D0B2000-memory.dmp

Filesize
136KB

Download
memory/548-956-0x00007FFD85840000-0x00007FFD8584C000-memory.dmp

Filesize
48KB

Download
memory/548-1392-0x00007FFD858F0000-0x00007FFD858FC000-memory.dmp

Filesize
48KB

Download
memory/548-892-0x00007FFD758C0000-0x00007FFD75DE9000-memory.dmp

Filesize
5.2MB

Download
memory/548-978-0x00007FFD857C0000-0x00007FFD857CD000-memory.dmp

Filesize
52KB

Download
memory/548-1033-0x00007FFD857A0000-0x00007FFD857B2000-memory.dmp

Filesize
72KB

Download
memory/548-1034-0x00007FFD85790000-0x00007FFD8579C000-memory.dmp

Filesize
48KB

Download
memory/548-902-0x00007FFD86060000-0x00007FFD8608D000-memory.dmp

Filesize
180KB

Download
memory/548-1036-0x00007FFD80700000-0x00007FFD8072E000-memory.dmp

Filesize
184KB

Download
memory/548-1037-0x00007FFD75DF0000-0x00007FFD764B5000-memory.dmp

Filesize
6.8MB

Download
memory/548-1068-0x00007FFD75290000-0x00007FFD756B5000-memory.dmp

Filesize
4.1MB

Download
memory/548-1052-0x00007FFD8AC70000-0x00007FFD8AC88000-memory.dmp

Filesize
96KB

Download
memory/548-1049-0x00007FFD85AE0000-0x00007FFD85B13000-memory.dmp

Filesize
204KB

Download
memory/548-1038-0x00007FFD861C0000-0x00007FFD861E5000-memory.dmp

Filesize
148KB

Download
memory/548-890-0x00007FFD75DF0000-0x00007FFD764B5000-memory.dmp

Filesize
6.8MB

Download
memory/548-891-0x00007FFD85FD0000-0x00007FFD85FE4000-memory.dmp

Filesize
80KB

Download
memory/548-887-0x00007FFD85FF0000-0x00007FFD85FFD000-memory.dmp

Filesize
52KB

Download
memory/548-885-0x00007FFD86000000-0x00007FFD86036000-memory.dmp

Filesize
216KB

Download
memory/548-882-0x00007FFD86290000-0x00007FFD8629F000-memory.dmp

Filesize
60KB

Download
memory/548-878-0x00007FFD86040000-0x00007FFD86059000-memory.dmp

Filesize
100KB

Download
memory/548-855-0x00007FFD86060000-0x00007FFD8608D000-memory.dmp

Filesize
180KB

Download
memory/548-852-0x00007FFD861A0000-0x00007FFD861BA000-memory.dmp

Filesize
104KB

Download
memory/548-849-0x00007FFD865B0000-0x00007FFD865BF000-memory.dmp

Filesize
60KB

Download
memory/548-847-0x00007FFD861C0000-0x00007FFD861E5000-memory.dmp

Filesize
148KB

Download
memory/548-838-0x00007FFD75DF0000-0x00007FFD764B5000-memory.dmp

Filesize
6.8MB

Download
memory/548-1103-0x00007FFD73EE0000-0x00007FFD75287000-memory.dmp

Filesize
19.7MB

Download
memory/548-1104-0x00007FFD75DF0000-0x00007FFD764B5000-memory.dmp

Filesize
6.8MB

Download
memory/548-1402-0x00007FFD85FD0000-0x00007FFD85FE4000-memory.dmp

Filesize
80KB

Download
memory/548-1401-0x00007FFD85920000-0x00007FFD8593C000-memory.dmp

Filesize
112KB

Download
memory/548-1403-0x00007FFD75DF0000-0x00007FFD764B5000-memory.dmp

Filesize
6.8MB

Download
memory/548-1421-0x00007FFD85880000-0x00007FFD8588C000-memory.dmp

Filesize
48KB

Download
memory/548-1420-0x00007FFD85970000-0x00007FFD85A8A000-memory.dmp

Filesize
1.1MB

Download
memory/548-1419-0x00007FFD85890000-0x00007FFD8589E000-memory.dmp

Filesize
56KB

Download
memory/548-1418-0x00007FFD858B0000-0x00007FFD858BC000-memory.dmp

Filesize
48KB

Download
memory/548-1417-0x00007FFD85870000-0x00007FFD8587B000-memory.dmp

Filesize
44KB

Download
memory/548-1416-0x00007FFD758C0000-0x00007FFD75DE9000-memory.dmp

Filesize
5.2MB

Download
memory/548-1415-0x00007FFD858D0000-0x00007FFD858DC000-memory.dmp

Filesize
48KB

Download
memory/548-1414-0x00007FFD858E0000-0x00007FFD858EB000-memory.dmp

Filesize
44KB

Download
memory/548-1413-0x00007FFD858C0000-0x00007FFD858CB000-memory.dmp

Filesize
44KB

Download
memory/548-1412-0x00007FFD85910000-0x00007FFD8591B000-memory.dmp

Filesize
44KB

Download
memory/548-1411-0x00007FFD85FF0000-0x00007FFD85FFD000-memory.dmp

Filesize
52KB

Download
memory/548-1410-0x00007FFD8AC60000-0x00007FFD8AC6B000-memory.dmp

Filesize
44KB

Download
memory/548-1409-0x00007FFD85900000-0x00007FFD8590B000-memory.dmp

Filesize
44KB

Download
memory/548-1408-0x00007FFD85940000-0x00007FFD85964000-memory.dmp

Filesize
144KB

Download
memory/548-1407-0x00007FFD8AC70000-0x00007FFD8AC88000-memory.dmp

Filesize
96KB

Download
memory/548-1406-0x00007FFD858A0000-0x00007FFD858AC000-memory.dmp

Filesize
48KB

Download
memory/548-1405-0x00007FFD85AE0000-0x00007FFD85B13000-memory.dmp

Filesize
204KB

Download
memory/548-1404-0x00007FFD76BA0000-0x00007FFD76C6D000-memory.dmp

Filesize
820KB

Download
memory/548-1400-0x00007FFD86000000-0x00007FFD86036000-memory.dmp

Filesize
216KB

Download
memory/548-1399-0x00007FFD86290000-0x00007FFD8629F000-memory.dmp

Filesize
60KB

Download
memory/548-1398-0x00007FFD86440000-0x00007FFD8644D000-memory.dmp

Filesize
52KB

Download
memory/548-1397-0x00007FFD86040000-0x00007FFD86059000-memory.dmp

Filesize
100KB

Download
memory/548-1396-0x00007FFD86060000-0x00007FFD8608D000-memory.dmp

Filesize
180KB

Download
memory/548-1395-0x00007FFD861A0000-0x00007FFD861BA000-memory.dmp

Filesize
104KB

Download
memory/548-1394-0x00007FFD865B0000-0x00007FFD865BF000-memory.dmp

Filesize
60KB

Download
memory/548-1393-0x00007FFD861C0000-0x00007FFD861E5000-memory.dmp

Filesize
148KB

Download
memory/2100-957-0x00000240C0BC0000-0x00000240C0BE2000-memory.dmp

Filesize
136KB

Download